This is a slightly edited copy of an email I sent to the mailing lists for my local hackspace, VHS. I run their mailing lists presently for historical reasons, but we're working on migrating them slowly.

Hi all,

Speaking as your email list administrator here. I've tried to keep the logs
below as intact as possible; I've censored only one user's domain, as
being explicitly identifying information, and then two other recipient
addresses.

There have been a lot of reports lately of bounce notices from the list,
and users have correctly contacted me, wondering what's going on. The
bounce messages are seen primarily by users on Gmail and hosted Google
Apps, but the problems do ultimately affect everybody.

67.6% of the vhs-general list uses either Gmail or Google Apps (347 subs of
513). For the vhs-members list it's 68.3% (both of these stats were created by
checking if the MX record for the user's domain points to Google).

Google is deciding that certain list messages are too much like spam, because
of two things:

1. Content

2. DMARC policy

Content:

We CAN do something about the content.

Please don't send email that has only one or two lines, containing a URL and a
short line of text. It's really suspicious and spam-like.

DMARC policy:

TL;DR: If you work on an open-source mailing list app, please implement
DMARC support ASAP!

Google and other big mail hosters have been working on an anti-spam measure
called DMARC [1].

Unlike many prior attempts, it latches onto the From header as well as
the SMTP envelope sender, and this unfortunately interferes with mailing
lists [2], [3].

I do applaud the concept behind DMARC, but the rollout seems to be
hurting lots of the small guys.

At least one person (Eric Sachs) at Google is aware of this [4]. There is no useful
workaround that I can enact as a list admin right now, other than asking
the one present user to tweak his mailserver if possible.

There is also no completed open source support I can find for DMARC.
Per the Google post above, the Mailman project is working on it [5], [6],
but it's not yet available as of the last release. Our lists run on
ezmlm-idx, and I run some other very large lists using mlmmj
(gentoo.org) and sympa; none of them have DMARC support.

The problem is only triggering with a few conditions so far:

Recipient is on a mail service that implements DMARC (and DKIM and SPF)

Sender is on a domain that has a DMARC policy of reject

Of the 115 unique domains used by subscribers on this list, here are all
the DMARC policies:

Only one of those includes a reject policy, but I suspect it's a matter of time
until more of them will include it. I'm going to use USERDOMAIN.ca here as the
rest of the example, and that user is indirectly responsible for lots of the rejects we
are seeing.

If the MAIL-FROM envelope address is on the list of list subscribers, your
message is accepted.

Step 3.0.

The list adjusts the mail for outgoing delivery, and uses SMTP VERP [7] to get the mail
server to send the new message. This means it hands off a single copy of the
email, as well as a list of all recipients for the mail. The envelope from
address in this case will encode the name of the list and the number of
the mail in the archive.

If it was delivering to me (robbat2@orbis-terrarum.net), the outgoing
SMTP connection would look roughly like:

I don't implement DMARC on my domain. If my system bounced the email, it
would have gone to that address, and the list app would know that
message 18094 on list vhs-general bounced to user
robbat2@orbis-terrarum.net.

Step 3.2.

Google DOES implement DMARC, so let's run through that.

The key part of DMARC is that it takes the domain from the From header.
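
A simplified sketch of that check, added here as an illustration and not taken from the original email or from any mail server's code. It compares the From header domain against the domains that SPF and DKIM authenticated. The DMARC record, the list host `lists.example.org`, and the broken DKIM signature on the relayed copy are constructed assumptions, and relaxed alignment is approximated with a parent/child match instead of a Public Suffix List lookup.

```python
# Added example: simplified DMARC evaluation; all sample data is constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment. Relaxed mode should compare organizational
    domains via the Public Suffix List; a parent/child suffix match is used
    here as a stand-in (assumption)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if a == b:
        return True
    if mode == "s":
        return False
    return a.endswith("." + b) or b.endswith("." + a)

def dmarc_disposition(from_domain, spf, dkim, record_txt):
    """spf and dkim are (result, domain) pairs as the receiver evaluated them.
    Returns 'no-policy', 'pass', or the policy the From domain requested."""
    policy = parse_dmarc(record_txt) if record_txt else None
    if policy is None:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy.get("p", "none")

RECORD = "v=DMARC1; p=reject"       # constructed record for USERDOMAIN.ca
LIST_HOST = "lists.example.org"     # hypothetical host in the VERP envelope

def scenarios():
    return {
        # Author mails a recipient directly: envelope and DKIM are the author's.
        "direct": dmarc_disposition("USERDOMAIN.ca", ("pass", "userdomain.ca"),
                                    ("pass", "userdomain.ca"), RECORD),
        # Same message relayed by the list: SPF passes, but for the list's
        # envelope domain; the author's DKIM signature is assumed broken.
        "via_list": dmarc_disposition("USERDOMAIN.ca", ("pass", LIST_HOST),
                                      ("fail", "userdomain.ca"), RECORD),
        # Author whose domain publishes no DMARC record, relayed by the list.
        "no_record": dmarc_disposition("orbis-terrarum.net", ("pass", LIST_HOST),
                                       ("none", ""), None),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The `via_list` case is the one behind the bounces: SPF passes, but only for the list's envelope domain, so nothing authenticated lines up with the From header and the sender's `p=reject` applies.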